What is the CVSS score of EUVD-2025-209124?

EUVD-2025-209124 has a CVSS 3.1 base score of 3.8 (Low). CVSS vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Is there a patch available for EUVD-2025-209124?

Yes, a patch is available for EUVD-2025-209124. Update the affected software to the latest version immediately.

OpenSC EUVD-2025-209124

| CVE-2025-49010 LOW

Stack-based Buffer Overflow (CWE-121)

2026-03-30 GitHub_M

Buffer Overflow Stack Overflow

3.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Physical

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

0.27.0

EUVD ID Assigned

Mar 30, 2026 - 17:36 euvd

EUVD-2025-209124

Analysis Generated

Mar 30, 2026 - 17:36 vuln.today

CVE Published

Mar 30, 2026 - 16:59 nvd

LOW 3.8

DescriptionNVD

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

AnalysisAI

Stack buffer overflow in OpenSC's GET RESPONSE handler prior to version 0.27.0 allows local attackers with physical access to trigger memory corruption via specially crafted smart card or USB device responses to APDUs. The vulnerability requires user interaction and physical proximity, limiting its practical exploitability; however, it could enable local privilege escalation or information disclosure when an authorized user or administrator actively uses a token. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

OpenSC is middleware for smart card and token management on desktop systems. The vulnerability exists in the GET RESPONSE APDU handler, which processes responses from smart cards or USB tokens. When a crafted token returns specially formed APDU responses, a stack buffer overflow (CWE-121) occurs, allowing an attacker to write beyond allocated stack memory boundaries. The attack surface is limited to the APDUs exchanged during token interaction; the attacker must control the physical device or perform a man-in-the-middle attack on the USB/smart card interface. Affected versions are all releases prior to 0.27.0, as identified by the CPE range cpe:2.3:a:opensc:opensc:*:*:*:*:*:*:*:* without upper-bound version.

RemediationAI

Vendor-released patch: OpenSC version 0.27.0 and later. Update from official distribution channels or rebuild from source. For users unable to upgrade immediately, limit physical access to computers during token operations and monitor for suspicious device behavior. Environment controls such as restricting USB device insertion policies and using only trusted, pre-vetted smart cards or tokens can mitigate risk. Refer to the official security advisory at https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4 for detailed remediation guidance.

Vendor StatusVendor

EUVD-2025-209124 vulnerability details – vuln.today

Back